Skolara will, in connection with our business operations, process personal data. We are committed to handling personal data in a secure and lawful manner.

Our processing of personal data as a data controller is based on the nature and purpose of our business, which is to offer and deliver the Skolara solution. Information about the personal data we process, the legal basis for such processing, the purpose of the processing, the retention period, and other relevant details is provided below.

We may also process personal data in ways not described below; in such cases, we will inform the data subjects through means other than this statement.

We may also act as a data processor on behalf of our customers and in connection with our services, meaning that our customers are responsible for the processing. See further details below.

If you have any questions or would like to know more about our processing of personal data, you may contact us—see the contact information provided below.

1 Controller Responsible for the Processing of Personal Data

Skolara AS is the data controller, meaning it determines the purposes and means of processing personal data for the processing activities described below. This does not apply where we act as a data processor—i.e., when we process personal data on behalf of our customers, see section 4.

Contact details for the data controller:

Skolara AS

Org. no. 933 148 475

Erling Skakkes gate 51 B, 7012 Trondheim

See the contact form at the bottom of this page.

2 Processing of Personal Data

We collect and use personal data for various purposes depending on who you are and how we come into contact with you.

All processing of personal data shall take place in accordance with applicable data protection laws, including the Personal Data Act and the General Data Protection Regulation (GDPR).

Personal data means any information relating to an identified or identifiable natural person (the latter referred to as a “data subject”).

Processing of personal data means any operation performed on personal data, such as collection, registration, organization, structuring, storage, adaptation, alteration, transfer, or deletion.

Where we act as a data processor—that is, when we process personal data on behalf of others—you will receive information about such processing from the data controller. However, you may still contact us regarding the processing of your personal data, and we will refer you to the appropriate data controller. See also below regarding our role as data processor.

Below are the types of processing we carry out as a data controller in our operations.

2.1 Communication and Contact

We process personal data about individuals who contact us in order to respond to and document the communication and to reach out to others. This applies to all forms of communication—physical and digital, written and oral.

In such cases, we process names, phone numbers, email addresses, and any personal data that may be included in the inquiry, including related history or communication logs.

The processing is based on our legitimate interest in processing personal data for the purposes described above (see GDPR Article 6(1)(f)). We have assessed that our legitimate interest in maintaining contact with the public, documenting our business activities, responding to inquiries, and recording such contact is part of our normal business operations. We have further assessed that this processing is necessary to handle incoming inquiries and that the data subjects’ right to privacy does not override these interests.

Providing personal data is voluntary, but necessary for us to be able to respond to inquiries.

We retain the information until we reasonably consider that no further follow-up of the contact will occur, normally for two years.

2.2 E-mail

We use email as a communication tool that contains personal data. The processing is based on our legitimate interest in processing personal data through email (see GDPR Article 6(1)(f)) in order to maintain a working communication system, and the data subjects’ right to privacy does not override these interests.

The personal data processed in emails depends on the purpose of the email and the content included therein. Emails are deleted when no longer necessary, and we have measures in place to ensure regular deletion of emails. Our security systems also have access to emails, but only for automated processing.

2.3 Information and Marketing

If you request information or subscribe to our newsletter, we will send you information about our products and services, offerings from partners, newsletters, and other updates and marketing materials. In this context, we will process your email address and any additional information you provide to us.

We process personal data to inform you about services and products that may be of interest to you, and the processing is based on your consent (GDPR Article 6(1)(a)). You may withdraw your consent at any time by using the unsubscribe options included in the communications you receive, or by contacting us to opt out of direct marketing and/or profiling pursuant to GDPR Article 21(2).

We only process the personal data necessary to perform the distribution—namely, your email address and name, to personalize the communication and ensure it reaches the correct recipient. Your email address and any related information are used solely for sending the newsletter.

Processing continues until you have received the requested information or withdrawn your consent, after which your personal data will be deleted.

2.4 Information About Services

We may also send information about our services and products that does not constitute marketing. This may be done regardless of whether you have provided consent, and the processing of personal data will then be based either on our performance of a contract with you as an existing customer (GDPR Article 6(1)(b)) or on our legitimate interest in informing our users and contacts about our services (GDPR Article 6(1)(f)). Alternatively, we may process the data based on your consent (GDPR Article 6(1)(a)).

The purpose of the processing is to keep you informed about the products and services you receive and to follow up on your purchases of products or services. The processing of personal data will continue for as long as you receive our services.

2.5 Existing and Potential Customers, Suppliers, and Partners

We process personal data about contact persons at existing and potential customers (in business relationships), suppliers, and other partners for sales and marketing activities, to manage our relationships with suppliers and others, to prepare, execute, and document services, and to evaluate the use of such services. In these cases, we process names, contact information, company names, and information related to the individual’s contact with the company they represent.

The processing of personal data is based on our legitimate interest (GDPR Article 6(1)(f)) in managing our relationships with customers, partners, and suppliers, and our interest outweighs the data subject’s right to privacy.

We also store and disclose information where we have a legal obligation to do so, for example under accounting or tax legislation.

Information is stored and processed for as long as necessary, for instance, to document matters related to services.

In many cases, it is necessary for us to obtain personal data in order to enter into agreements with customers and suppliers, for example to document that an agreement has been concluded. If we do not receive the required information, we may be unable to enter into agreements.

Providing personal data is voluntary for contact persons. When we collect personal data from other sources, this will primarily include contact details (such as name, address, phone number, and email), position, role, and employer, as well as relevant qualifications and references. The source of such information will typically be the contact person’s employer—for example, through the employer’s website. In some cases, we obtain references from others to assess the suitability of suppliers or partners.

We retain the information until the relationship with the customer, supplier, or partner ends, or until the contact person no longer serves in that capacity, except where otherwise required as stated above.

2.6 Recruitment

When recruiting for new positions, we process personal data contained in CVs, applications, references, interview notes, and results from reference checks, among other things.

We may use recruitment platforms to manage submitted applications; in such cases, the platform acts as our data processor. If you register on the recruitment platform with your own profile, the platform will act as the data controller, and its privacy policy applies to the processing of personal data within the service. The processing of personal data is based on the consent you have provided through the recruitment platform (GDPR Article 6(1)(a)), where such consent is obtained, or on the legal bases described below.

The primary legal basis for processing personal data during recruitment is that the processing is necessary to take steps prior to entering into an employment contract with the job applicant (GDPR Article 6(1)(b)).

If we conduct additional checks beyond contacting listed references—such as background searches—personal data is processed based on our legitimate interest in ensuring the selection of the right candidate for the position (GDPR Article 6(1)(f)). We have assessed that our legitimate interest in recruiting new employees outweighs the data subject’s right to privacy.

We encourage applicants not to include special categories of personal data—such as information about health, religion, political opinions, or trade union membership—in their applications.

If we process any special category personal data, it will be based on your consent (GDPR Article 9(2)(a)). Consent may be withdrawn at any time, and withdrawal will not affect the lawfulness of processing carried out before the consent was withdrawn.

Personal data is deleted as soon as the recruitment process is completed, unless you have consented to longer retention.

2.7 Social Media

We interact with stakeholders and others through social media. For example, we have established a Facebook page, where we are jointly responsible with Facebook for the processing of personal data related to that page. Personal data is processed through the Facebook page if you post content, comment on posts, or “like”/follow the page. Our purpose in processing personal data via Facebook is to communicate with individuals who wish to interact with us or otherwise engage on our Facebook page—see also section 2.2 on communication.

In this context, we process your name and any other information you have made available on Facebook in connection with your name/account. In addition, we process any content you share through posts and comments on our Facebook page, as well as the fact that you have “liked”/followed our page. What you choose to share on the Facebook page is entirely voluntary.

We ask that you do not share personal data in posts or comments on our page, and in particular that you do not share personal data about others, such as by tagging or mentioning individuals.

We process personal data in social media, such as Facebook, based on our legitimate interest in communicating with the public through such platforms and handling related interactions (GDPR Article 6(1)(f)). We have assessed that this is necessary for us to communicate with the public and respond to inquiries, and that the data subjects’ right to privacy does not outweigh these interests.

The data will be processed for as long as the posts or comments remain available on the social media platform, and you may delete them yourself at any time.

2.8 Use of Websites

We use the following cookies on our websites:

Necessary and functional cookies, as well as cookies for statistical purposes, are processed based on our legitimate interest (GDPR Article 6(1)(f)) in adapting the website to our users, and this interest outweighs the individual’s right to privacy. However, we safeguard visitors’ privacy by using the information solely for statistical purposes. It is not possible to identify individual persons in these statistics. The data will be retained only as long as necessary for the purposes described above.

2.9 Third-Party Integrations (Google Drive and Microsoft OneDrive)

When a user voluntarily connects their Google Drive or Microsoft OneDrive account to Skolara, the user grants Skolara limited read access in order to:

- display file and folder lists (metadata such as name, type, size, and last modified date),

- read the content of files the user explicitly selects for temporary display in Skolara (e.g., previews of documents or presentations).

Skolara does not store copies of files or file content from Google Drive/OneDrive, nor does it modify, move, or delete any files in these services. Access is used only when the user actively browses or opens files within Skolara. We do not scan connected accounts in the background.

2.9.1 Temporary Processing

Technical data such as file lists and previews are processed only during the session for the purpose of displaying the content and are then discarded. We do not create permanent storage, indexes, or catalogs of the user’s files.

2.9.2 Disconnection

The user may disconnect the integration at any time within Skolara and/or revoke access in their Google or Microsoft account settings. Once disconnected, further access is immediately terminated.

3 Processing Based on Consent

If we process personal data based on your consent, as described above, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Please contact us if you wish to withdraw your consent. Note that even if you withdraw your consent, we may still process all or part of your data if another legal basis for the processing exists.

4 Storage and retention (deletion) of personal data

We retain personal data for as long as necessary for the purpose for which the data was collected and delete the data in accordance with legal requirements. The retention period varies depending on how the data was collected and the purpose for which it was obtained.

Information on deletion is provided above under the respective processing activities, or the retention period is determined based on the following criteria:

- Whether we have a legal or contractual need to retain the data, such as potential claims directed against us

- Whether the data is necessary for our operations

- Where the processing is based on consent, when the consent is withdrawn

When we no longer have a legitimate ongoing need to process your personal data, it will be deleted or anonymized as soon as possible in accordance with applicable law.

In some cases, instead of deleting personal data, it may be appropriate to anonymize it. Anonymization means that all identifying or potentially identifying characteristics are removed from the retained dataset.

This means, for example, that personal data processed based on your consent will be deleted if you withdraw your consent. Personal data processed to fulfill an agreement with you will be deleted once the agreement has been fulfilled and all obligations arising from the contractual relationship have been met, such as statutory obligations related to accounting or customer follow-up concerning complaints, etc. Personal data processed due to legal obligations will be deleted as soon as we are no longer required by law to retain it.

5 Processing of personal data as part of Skolara

Customers who use Skolara are the data controllers for the personal data processed through the use of Skolara. In such cases, we process personal data on behalf of the customer and act as the data processor. A data processing agreement has been entered into between us and the customers to regulate our processing of personal data on their behalf.

The information in this privacy statement also applies to our processing of personal data concerning our customers’ users in relation to the disclosure and transfer of personal data, as well as security and technical matters. The deletion of personal data depends on when the customer chooses to delete the data. We will never use information or data from our services without instruction or approval from our customers.

We send emails to contact persons at users of Skolara and our customers to provide information about the services, such as technical matters, upgrades, new functionality, etc., in addition to automatically generated emails. Recipients may unsubscribe or inform us that they do not wish to receive such emails. See more below.

Below we have included a general description of the processing activities that take place in Skolara. The data controller is responsible for providing information about the processing being carried out, even though we act as the data processor. However, we have made this information available to make it easier for users to gain insight into the processing performed.

5.1 Purpose of the Processing

The purpose of the processing of personal data is to deliver the functions and perform the tasks that constitute the intended use of Skolara. This includes, among other things, importing class maps, recording students’ first names, and organizing the placement of students, etc.

5.2 Processing Performed Within the Service

The following processing of personal data will take place within the service:

- Collection and registration of personal data that can be linked to users of the services and others registered in the service (personal data), see further details below.

- Registration of names and contact information, first names and seating positions of students, as well as any relevant considerations related to students that must be taken into account when assigning seats. Usage logs of Skolara will also be generated. The personal data concerns users of Skolara, including administrators within organizations such as schools, teachers, and students.

- Integration with other systems, which may involve combining, modifying, or transferring personal data to those systems.

- Calculation of statistics and analyses, presented in reports. These reports will not contain personal data.

- Backup of data (including personal data).

- Operational personnel use their administrator access to provide user support and perform maintenance on the data and operational resources (servers, databases, user accounts, etc.) of the data controller.

The legal basis for processing personal data depends on the purpose of the processing determined by our customer (the data controller). However, processing will normally be carried out to improve the school environment and support learning, as required by the Education Act, and because there may be a legitimate interest within the organization in fostering a better classroom environment.

We will also act as the data controller for certain personal data processed in connection with our services, which includes:

5.3 Usage analysis (session length and retention)

We collect limited usage statistics in Skolara to understand how the solution is used and to improve the product (for example, session duration and how many users continue to use the solution over time).

This may include:

- Activity used to calculate session start/session end and approximate duration.

- Daily and weekly activity (e.g. DAU/WAU) and retention/cohort analysis at an aggregated level.

- High-level information about which parts of the solution are used (based on server-side activity/API calls).

Privacy:

- We do not store email addresses or user IDs directly in the usage statistics. We use a pseudonymized key (HMAC) to calculate retention without storing direct identifiers.

- Usage statistics are not shared with third parties and are not used for marketing purposes.

5.4 System Monitoring, Error Correction etc.

We monitor our systems for errors and issues. Some of these processes involve the storage and processing of personal data. The legal basis for processing personal data for this purpose is our legitimate interest, as we consider it necessary to ensure that our systems and solutions are free from errors and operational problems.

5.5 Security

We process personal data as part of our efforts to protect our solutions and services, users, and ourselves against security breaches, fraudulent activities, misuse, etc. The legal basis for processing personal data for this purpose is our legitimate interest, as well as our obligations under data protection regulations to ensure the security of personal data, cf. GDPR Articles 24 and 32, and our contractual obligations toward our customers under the data processing agreements entered into with them.

5.6 Compliance With Legal Obligations

We may be required to process personal data in order to comply with other legal obligations, such as preserving data in connection with legal disputes, disclosure requests, etc. The legal basis for processing personal data for this purpose is that the processing is necessary to fulfill a legal obligation incumbent upon us.

5.7 Communication to Users

We may send information about the solution to its users to inform them about availability, functionality, and other matters necessary for them to be aware of. Such communications are made based on our legitimate interest in keeping users informed about the solution. You may opt out of these communications; however, we recommend that you do not, as you may otherwise miss important information.

5.8 Your Rights

If we act as the data processor for the processing of personal data as described above, you must contact the data controller to exercise your rights. However, the rights you have will generally be the same as those listed below. If you contact us, we can assist by directing you to the data controller, provided we have this information.

If we are the data controller, you can find more information about your rights below, and you may contact us to exercise them.

6 Transfer or Disclosure of Personal Data to Others

We do not disclose personal data to others except as stated in this Privacy Policy or where there is a lawful basis for doing so. Such a basis typically includes an agreement with or consent from the data subject, or a legal obligation requiring us to disclose the information. The latter applies to public authorities such as tax collection (where necessary), accountants/auditors, and other entities we rely on in our operations, such as banking partners.

We use data processors to collect, store, or otherwise process personal data on our behalf. In such cases, we have entered into agreements to ensure your rights and the security of your personal data throughout all stages of the processing.

If required by law, or if there is suspicion of a criminal offense in connection with the use of our services, personal data we have stored about you may be disclosed to public authorities, such as the police during investigations.

If personal data may be subject to transfer to another organization in connection with a merger, financing, reorganization, or dissolution transaction involving all or part of our business, such transfer will only take place if the parties have entered into an agreement restricting the collection, use, and sharing of personal data to purposes related to the transaction, including determining whether to proceed with it. The personal data may only be used by the involved parties to execute and complete the transaction. If another company acquires us or our business or assets, that company will gain access to the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this Privacy Policy.

7 Transfer of Personal Data to Recipients in Countries Outside the EEA

It is our objective that all processing of personal data takes place within the EEA; however, we may use service providers or process personal data outside the EEA. In such cases, the transfer and processing of personal data outside the EEA (to third countries) will occur only in countries approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data under GDPR Chapter V. If the transfer does not take place to a country approved by the European Commission, it will only occur subject to the safeguards set out in GDPR Article 46(2). You may contact us for information about the legal basis used for such transfers.

8 Security of Processing

We place a high priority on the security of personal data in our operations and will implement all required technical and organizational measures to safeguard your personal data.

We handle information so that it is accurate, available, and managed in accordance with the sensitivity of the data. We also use a range of security technologies and information-security procedures to protect personal data from unauthorized access, use, or disclosure. Risk assessments are conducted for the processing of personal data.

We have entered into data processing agreements with all our suppliers who process personal data, under which they undertake the same level of security as we apply to our own processing.

We limit access to personal data to personnel or third parties who will process the data on our behalf. These parties are subject to confidentiality obligations.

Procedures are in place for handling information-security incidents and personal data breaches. If a breach occurs that poses a risk to the privacy of the affected personal data, we will notify the Norwegian Data Protection Authority as soon as possible and no later than 72 hours after the breach was discovered. If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, we will also notify those individuals.

9 Your Rights When We Process Personal Data About You

Below are your rights regarding the processing of personal data. To exercise these rights, you must contact us using the contact details provided above or by another method if specified below.

We will respond to your inquiry as soon as possible and no later than within one month. If it takes longer than one month, you will be notified.

We may ask you to confirm your identity or provide additional information before allowing you to exercise your rights. This is to ensure that access to your personal data is granted only to you—and not to anyone impersonating you.

The rights listed below apply where we act as the data controller (see above). If we are acting as a data processor for our customers, and you use services provided by one of our customers, that customer is responsible for the processing of your personal data (the data controller). You must then contact the service provider directly to exercise your rights regarding their processing of your personal data. In essence, your rights will correspond to those described below.

9.1 Right to Information

You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You may also contact us if you wish to obtain further information.

If we have disclosed your personal data to others, we are obliged to inform the recipient of any request for rectification or deletion of personal data (see Section 10.3 below) or any restriction of processing (see Section 10.5 below), unless such notification is impossible or involves a disproportionate effort. We are also required to inform you of such disclosure if you request it.

9.2 Right of Access

You have the right to request access to the personal data that is being processed about you. Contact us if you wish to exercise this right. If you have registered an account in Skolara, most of the information you have provided can be managed within the service, provided it has not been deleted (see above).

Upon request, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you want a copy of to facilitate the process. When providing a copy of your personal data, we may require you to verify your identity to ensure that personal data is not disclosed to unauthorized parties. The information will be provided in digital form unless you request another method of delivery.

9.3 Modification and Deletion

You may also ask us to correct any inaccurate information we hold about you or request the deletion of your personal data. If you are a registered user, you can also edit or delete certain information directly through Skolara. Deleting your user account will also result in the deletion of all associated data. We will comply with requests for deletion to the extent possible; however, we may not be able to do so if the data is still required for legitimate purposes.

9.4 Processing Based on Consent

If we process personal data based on your consent, you may withdraw your consent at any time. The easiest way to do so is by using the method indicated when you provided your consent or by contacting us directly.

9.5 Right to Restrict or Object to Processing

You may request that our processing of your personal data be restricted in certain cases, provided the conditions for such restriction are met. When processing is restricted, the personal data will only be stored. See further details in GDPR Article 21.

Where our processing is based on legitimate interests, you have the right to object to the processing of your personal data. If you object, we shall cease the relevant processing unless there are compelling legitimate grounds for continuing it.

You may also opt out of the processing of personal data concerning you for marketing purposes, including profiling to the extent that it relates to direct marketing, cf. GDPR Article 22(2).

9.6 Right to Data Portability

For data you have provided to us that is necessary to fulfill an agreement with us and is processed automatically (i.e., not manually), you may request to have your personal data disclosed or transferred to another provider in a structured, commonly used, and machine-readable format (data portability). The cost of such a transfer will, in that case, be borne by the customer.

9.7 Automated Processing, Including Profiling

No automated processing, including profiling, will be carried out based on your personal data that produces legal effects concerning you or otherwise significantly affects you. See GDPR Article 22(1) and (4).

9.8 Right to Be Notified

If a personal data breach occurs—meaning a security breach that is likely to result in a high risk to your privacy—we will notify you without undue delay.

10 Complaints

If you believe that our processing of personal data is not in accordance with what is described here, or that we otherwise violate data protection laws, you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet). However, we encourage you to contact us first so that we can correct any errors as quickly as possible.

You can find information about your rights and how to contact the Data Protection Authority on their website: www.datatilsynet.no.

11 Changes

If there are changes in our processing of personal data or in the regulations governing such processing, this may result in updates to the information provided here. If the changes directly affect you and are relevant to your privacy, we may contact you if we have your contact details. Otherwise, the most recent version of this Privacy Policy will always be available on our website.